Re: Ethics (testing and mitigation)

Is it ethical for a security testing (VA, pen-test, etc.) shop to provide
mitigation services? If so, under what context? How to guard against the
tendency to try to sell a customer the solutions that profit you the
most instead of those that the customer needs the most? Should services
be sold as a single blanket package or priced in such a way as to
minimize this effect? How does this damage your credibility as an
impartial tester?

You don't have to answer all of this, just looking for discussion along
these lines.
--
Tony L Turner CISSP/CISA/GSEC/ITIL
IT Security/Disaster Preparedness Consultant

Tony,

I don't necessarily think it is unethical. I think it can easily
become problematic.

For that reason I generally won't contract other services from vendors
we use for VA or pentesting. I'd also point out that pentesting is a
distinctly different set of skillsets from implementing security and
controls. The fact that an organization is good at pentesting does not
mean that organization is a good choice for implementing an IDS or
configuring a firewall (doesn't mean they aren't, just that they don't
go hand in hand).